CVE-2025-33108
📋 TL;DR
This vulnerability in IBM Backup, Recovery and Media Services (BRMS) for i allows a user who is able to compile or restore a program to gain elevated privileges. A BRMS program makes a library-unqualified call, so a program the user plants under the same name in a library that is searched earlier on the job's library list is invoked instead and runs with the BRMS program's administrator-level authority, compromising the host. This affects BRMS on IBM i 7.4 and 7.5.
💻 Affected Systems
- IBM Backup, Recovery and Media Services (BRMS) for i on IBM i 7.4 and 7.5
📦 What is this software?
IBM Backup, Recovery and Media Services (BRMS) is IBM's backup, recovery and media-management licensed program for the IBM i operating system. Its programs run with elevated authority so that they can save and restore objects across the system, which is why a hijacked call inside BRMS yields administrator-level code execution.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to execute arbitrary code with full operating system access, potentially leading to data theft, system destruction, or persistent backdoor installation.
Likely Case
Privilege escalation allowing authenticated users to gain unauthorized administrative access to the IBM i system and its resources.
If Mitigated
Limited impact if only trusted administrators can compile or restore programs, if *PUBLIC cannot write to libraries that precede the BRMS libraries on the library list, and if network segmentation restricts who can authenticate to the system at all.
🎯 Exploit Status
Exploitation requires an authenticated IBM i user who can compile a program or restore one from a save file. The root cause is a library-unqualified call made by a BRMS program: because the call does not name the library, the system resolves it through the job's library list, and a program of the same name placed in a library searched earlier (QTEMP is job-private and always writable) is executed instead, with the elevated authority the BRMS program holds.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM i Group PTF SF99725 level 38 or later for 7.4, and SF99725 level 18 or later for 7.5
Vendor Advisory: https://www.ibm.com/support/pages/node/7236663
Restart Required: Yes
Instructions:
1. Confirm BRMS is installed and note the IBM i release with DSPSFWRSC, then check the current group level with WRKPTFGRP SF99725 (DSPPTF shows individual PTFs).
2. Apply IBM i Group PTF SF99725 at the level the advisory specifies for your release.
3. Apply any prerequisite or co-requisite PTFs listed in the advisory.
4. IPL the system so that delayed PTFs become active.
5. Verify with WRKPTFGRP SF99725 (status Installed, level at or above the required one) and DSPPTF for the individual PTFs.
🔧 Temporary Workarounds
Restrict Program Compilation/Restoration Privileges
Limit who can compile programs (CRTPGM, CRTSRVPGM and the compiler commands such as CRTBNDRPG and CRTBNDCL) or restore objects (RSTOBJ, RSTLIB, RST) to trusted administrators. Restoring objects requires *SAVSYS special authority or sufficient authority to the target library and objects.
Use CHGUSRPRF to remove *SAVSYS (and, where it is not needed, *ALLOBJ) from user profiles, and RVKOBJAUT or EDTOBJAUT on the compiler and restore commands (object type *CMD) to restrict who may run them. There is no CHGUSRAUT command on IBM i.
Implement Least Privilege Access
Review and restrict user access to BRMS functions and to the libraries that an unqualified call searches before the BRMS libraries: check DSPSYSVAL QSYSLIBL and the initial library lists in job descriptions (DSPJOBD), and make sure *PUBLIC has no *CHANGE or *ALL authority on any library ahead of them.
Use WRKOBJOWN, DSPOBJAUT and EDTOBJAUT to audit and correct object authorities on those libraries (WRKAUT and DSPAUT are the equivalents for IFS objects).
🧯 If You Can't Patch
- Implement strict access controls to limit who can compile or restore programs on the system
- Monitor and audit all program compilation and restoration activities for suspicious behavior
🔍 How to Verify
Check if Vulnerable:
Confirm BRMS is installed on an IBM i 7.4 or 7.5 system (DSPSFWRSC lists the installed licensed programs and their release) and that the SF99725 group level shown by WRKPTFGRP SF99725 is below the level in the advisory. DSPSFWRSC does not show PTF levels; only WRKPTFGRP and DSPPTF do.
Check Version:
DSPSFWRSC
Verify Fix Applied:
WRKPTFGRP SF99725 shows the group at or above the required level with status Installed; DSPPTF on the individual PTFs named in the advisory confirms they are applied, not merely loaded.
📡 Detection & Monitoring
Log Indicators (security audit journal QAUDJRN; requires QAUDLVL to include *CREATE, *SAVRST and *AUTFAIL):
- CO (create object) entries for *PGM or *SRVPGM objects in QTEMP, QGPL or any other library that precedes the BRMS libraries on the library list, especially by users who are not backup or development staff
- OR (object restore) entries for program objects by users who are not backup administrators
- AF (authority failure) entries from the same user shortly before or after such a create or restore, which often mark an attacker probing for a writable library
- A BRMS job calling a program that resolved to a library other than the BRMS product library
Network Indicators:
- Unusual authentication patterns to IBM i systems (new users, off-hours interactive sessions)
- Uploads of save files (*SAVF) or program objects over FTP, ODBC or IFS shares by non-administrative users
SIEM Query (pseudo-syntax; map to your collector's field names for QAUDJRN entries, and substitute your own list of backup administrators):
source="ibm_i_qaudjrn" AND entry_type IN ("CO","OR") AND object_type IN ("*PGM","*SRVPGM") AND library IN ("QTEMP","QGPL") AND NOT user IN ("QSECOFR", <backup administrators>)
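The detection rule above, worked through on sample audit entries. This is an added example, not IBM tooling and not part of the BRMS fix. It assumes a simplified, already-extracted view of QAUDJRN entries (entry type, user, object, library, object type), that QBRM is the BRMS product library, a constructed job library list, and a site-specific set of trusted administrators; the sample entries are constructed, not real journal data.

```python
"""Flag QAUDJRN events consistent with planting a program to hijack an
unqualified call.  Added example, not IBM tooling.  Works on an assumed,
already-extracted view of audit entries; map CPYAUDJRNE or SIEM fields onto it."""
from __future__ import annotations

from dataclasses import asdict, dataclass
from typing import Iterable

# Assumption: QBRM is the BRMS product library.  A planted program must sit in
# a library searched *before* QBRM for an unqualified call to resolve to it.
BRMS_LIBRARY = "QBRM"

# Constructed job library list in search order (system portion, then the user
# portion).  QTEMP is job-private and always writable, so it is the usual spot
# for a shadow program; QGPL is often *PUBLIC-writable on older systems.
LIBRARY_LIST = ["QSYS", "QSYS2", "QHLPSYS", "QUSRSYS",
                "QTEMP", "QGPL", "QBRM", "QUSRBRM"]

# Assumed site policy: accounts allowed to create or restore programs into
# shared libraries.  Anyone else putting a *PGM there deserves a look.
TRUSTED_USERS = {"QSECOFR", "BRMSADMIN"}

PROGRAM_TYPES = {"*PGM", "*SRVPGM"}


@dataclass(frozen=True)
class AuditEntry:
    entry_type: str   # QAUDJRN type: CO = create object, OR = object restore, AF = authority failure
    user: str
    object_name: str
    library: str
    object_type: str


def libraries_ahead_of(target: str, liblist: list[str]) -> list[str]:
    """Libraries an unqualified call searches before it reaches `target`."""
    if target not in liblist:
        return []
    return liblist[: liblist.index(target)]


def find_shadow_candidates(entries: Iterable[AuditEntry],
                           liblist: list[str] = LIBRARY_LIST) -> list[dict]:
    """Return CO/OR events that placed a program object into a library that
    precedes the BRMS library on the library list, by a non-trusted user."""
    ahead = set(libraries_ahead_of(BRMS_LIBRARY, liblist))
    findings = []
    for e in entries:
        if e.entry_type not in ("CO", "OR"):
            continue
        if e.object_type not in PROGRAM_TYPES or e.library not in ahead:
            continue
        if e.user in TRUSTED_USERS:
            continue
        finding = asdict(e)
        finding["reason"] = (f"{e.object_type} placed in {e.library}, "
                             f"which is searched before {BRMS_LIBRARY}")
        findings.append(finding)
    return findings


# Constructed sample entries (not real journal data).
SAMPLE_ENTRIES = [
    AuditEntry("CO", "JDOE", "CHKSAV", "QTEMP", "*PGM"),      # compiled into QTEMP: flag
    AuditEntry("OR", "JDOE", "CHKSAV", "QGPL", "*PGM"),       # restored into QGPL: flag
    AuditEntry("CO", "BRMSADMIN", "RPTPGM", "QGPL", "*PGM"),  # trusted user: ignore
    AuditEntry("CO", "JDOE", "RPTPGM", "JDOELIB", "*PGM"),    # library not on *LIBL: ignore
    AuditEntry("CO", "JDOE", "WORKF", "QTEMP", "*FILE"),      # not a program: ignore
    AuditEntry("AF", "JDOE", "QBRM", "QSYS", "*LIB"),         # authority failure: other rule
]

if __name__ == "__main__":
    for hit in find_shadow_candidates(SAMPLE_ENTRIES):
        print(f"{hit['entry_type']} {hit['user']:<10} "
              f"{hit['library']}/{hit['object_name']}: {hit['reason']}")
```

On a real system the entries would come from the audit journal, for example CPYAUDJRNE ENTTYP(CO OR) into an outfile or a SIEM forwarder, and the library list should be taken from QSYSLIBL plus the job description of the jobs that run BRMS rather than hard-coded. The rule deliberately keys on library position rather than on BRMS program names, so it does not need a list of the programs BRMS calls unqualified.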